Offline bruteforce attack on
WiFi Protected Setup
Dominique Bongard
Founder
0xcite, Switzerland
@reversity
§  Protocol aiming at easily connecting to protected WiFi networks
§  Two main modes: Push-Button and 8 digit PIN code
§...
Stefan Viehböck
Stefan Viehböck
§  Brute force each half of the PIN
§  Maximum 10‘000 tries + 1‘000 tries
§  No limitation on number of tries in many A...
STA
Nonce
E-Hash1 E-Hash2 HMAC
AES(HMAC(PIN1),E-S1) AES(HMAC(PIN2),E-S2)
§  If we can guess E-S1 and E-S2, we can the
brute force PIN1 and PIN2 offline!
§  Pixie dust attack!
§  Usually with pseudo-random generators (PRNG)
§  Often insecure PRNG
§  No or low entropy
§  Small state (32 bits)
§...
int rand_r( unsigned int *seed ) {
unsigned int s=*seed;
unsigned int uret;
s = (s * 1103515245) + 12345; // permutate see...
AP Nonce Description PK
§  Linear Congruential Generator
§  32 bits state
§  No external entropy
§  E-S1 and E-S2 generated right after the No...
§  Do the WPS protocol up to message M3
§  Get the Nonce from M1
§  Bruteforce the state of the PRNG
§  Compute E-S1 a...
§  Linear Feedback Shift Register (LFSR)
§  Broken
§  Doesn‘t matter the keys are always NULL !!
§  Some AP have the same state at each boot
§  Make a list of common states after reboot
§  Attack the AP right after b...
§  Trigger the breakers
§  DDOS the AP
§  Jam the signal until the target reboots the AP
§  Looks okay
§  Uses /dev/random
§  Found in Atheros SDK
§  But you never know
§  Several papers attack the entropy ...
§  It‘s complicated
§  Many of the implementations are the reference
code for the chipset
§  Only the GUI is reskinned
...
§  Disable WPS now !
§  Reverse engineers: Check other AP for bad PRNG
§  Cryptographers: Check if good PRNG are okay
Offline bruteforce attack on WiFi Protected Setup
Offline bruteforce attack on WiFi Protected Setup
Offline bruteforce attack on WiFi Protected Setup
Upcoming SlideShare
Loading in...5
×

Offline bruteforce attack on WiFi Protected Setup

382,751

Published on

Offline bruteforce attack on WiFi Protected Setup

Published in: Technology
1 Comment
47 Likes
Statistics
Notes
  • I have made a modification in reaver to automatize the process, here is the github - https://github.com/t6x/reaver-wps-fork-t6x
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total Views
382,751
On Slideshare
0
From Embeds
0
Number of Embeds
165
Actions
Shares
0
Downloads
940
Comments
1
Likes
47
Embeds 0
No embeds

No notes for slide

Offline bruteforce attack on WiFi Protected Setup

  1. 1. Offline bruteforce attack on WiFi Protected Setup Dominique Bongard Founder 0xcite, Switzerland @reversity
  2. 2. §  Protocol aiming at easily connecting to protected WiFi networks §  Two main modes: Push-Button and 8 digit PIN code §  Gives the WPA passphrase to stations providing the right PIN §  Poor design and implementation
  3. 3. Stefan Viehböck
  4. 4. Stefan Viehböck
  5. 5. §  Brute force each half of the PIN §  Maximum 10‘000 tries + 1‘000 tries §  No limitation on number of tries in many AP §  Takes a few hours (depends on the AP) §  Largely slowed down in new devices (lock-out) §  Many AP still sold with WPS PIN activated
  6. 6. STA Nonce E-Hash1 E-Hash2 HMAC AES(HMAC(PIN1),E-S1) AES(HMAC(PIN2),E-S2)
  7. 7. §  If we can guess E-S1 and E-S2, we can the brute force PIN1 and PIN2 offline! §  Pixie dust attack!
  8. 8. §  Usually with pseudo-random generators (PRNG) §  Often insecure PRNG §  No or low entropy §  Small state (32 bits) §  Can the PRNG state be recovered ?
  9. 9. int rand_r( unsigned int *seed ) { unsigned int s=*seed; unsigned int uret; s = (s * 1103515245) + 12345; // permutate seed uret = s & 0xffe00000;// Only use top 11 bits s = (s * 1103515245) + 12345; // permutate seed uret += (s & 0xfffc0000) >> 11;// Only use top 14 bits s = (s * 1103515245) + 12345; // permutate seed uret += (s & 0xfe000000) >> (11+14);// Only use top 7 bits retval = (int)(uret & RAND_MAX); *seed = s; return retval; }
  10. 10. AP Nonce Description PK
  11. 11. §  Linear Congruential Generator §  32 bits state §  No external entropy §  E-S1 and E-S2 generated right after the Nonce
  12. 12. §  Do the WPS protocol up to message M3 §  Get the Nonce from M1 §  Bruteforce the state of the PRNG §  Compute E-S1 and E-S2 from the state §  Decrypt E-Hash1 and E-Hash2 §  Bruteforce Pin1 and Pin2 §  Do the full WPS protocol and get the passphrase
  13. 13. §  Linear Feedback Shift Register (LFSR) §  Broken §  Doesn‘t matter the keys are always NULL !!
  14. 14. §  Some AP have the same state at each boot §  Make a list of common states after reboot §  Attack the AP right after boot
  15. 15. §  Trigger the breakers §  DDOS the AP §  Jam the signal until the target reboots the AP
  16. 16. §  Looks okay §  Uses /dev/random §  Found in Atheros SDK §  But you never know §  Several papers attack the entropy of the linux PRNG in embedded systems
  17. 17. §  It‘s complicated §  Many of the implementations are the reference code for the chipset §  Only the GUI is reskinned §  Therefore many brands are affected §  Many vendors use different chipset §  Even for the same model number
  18. 18. §  Disable WPS now ! §  Reverse engineers: Check other AP for bad PRNG §  Cryptographers: Check if good PRNG are okay
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×